A newly disclosed high-severity vulnerability in the OttoKit plugin (formerly known as SureTriggers) entered active exploitation within hours of its public disclosure, posing serious risks to WordPress websites that use the automation tool.
The vulnerability, tracked as CVE-2025-3102 and carrying a CVSS score of 8.1, allows unauthenticated attackers to bypass authorization controls and create new administrator accounts, effectively handing them full control of affected websites.
How the Exploit Works
The flaw resides in OttoKit’s authenticate_user function, which fails to properly validate the secret_key value. The issue affects all plugin versions up to and including 1.0.78, and can be exploited only if the plugin is installed, activated, and left unconfigured, specifically without an API key set. “Unauthenticated attackers can exploit this bug to create administrator accounts when the plugin is active but not yet configured,” explained István Márton, a researcher at Wordfence.
OttoKit (formerly SureTriggers) is a popular WordPress automation plugin with over 100,000 active installations, enabling users to link apps and automate workflows.
Attackers Already Exploiting the Flaw
The vulnerability was originally reported by Michael Mazzolini (aka mikemyers) on March 13, 2025, and patched in version 1.0.79 released on April 3, 2025.
However, attackers wasted no time. Within hours of public disclosure, threat actors began exploiting the flaw, creating rogue admin accounts to gain access and take over affected sites.
WordPress security firm Patchstack reports that attackers are creating fake admin accounts using randomly generated usernames, such as "xtw1838783bc". They warn that usernames, passwords, and email addresses will likely vary with each attempt, making detection more difficult.
The attacks have so far been traced to the following IP addresses:
- IPv6: 2a01:e5c0:3167::2
- IPv4: 89.169.15.201
Once inside, attackers can install malicious plugins, deface websites, inject malware, send spam, or redirect visitors to fraudulent pages, effectively turning the compromised site into an attack platform.
How to Protect Your WordPress Site
Not all 100,000 OttoKit installations are vulnerable, since the exploit only applies to plugins that are installed but left unconfigured, but the risk remains substantial for many users.
If you use OttoKit on your WordPress site, take the following steps immediately:
- Update the plugin to version 1.0.79 or later
- Audit your admin accounts for suspicious entries
- Delete any unknown or newly added administrator accounts
- Check your plugin settings to ensure proper API key configuration
- Monitor access logs and failed login attempts for unusual activity
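One way to carry out the admin-account audit steps above, as an added example that is not from the original article or from the OttoKit project: a Python script that reads the CSV produced by WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` and flags administrators that are not on your allowlist or were registered on or after the March 13, 2025 report date. The CSV rows, the allowlist and the cutoff date are constructed assumptions for this example.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
# The rows are made up for this example, not data from a real site.
SAMPLE_WP_USER_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-06-14 09:12:44
7,editor_jane,jane@example.com,2023-02-01 15:30:00
42,xtw1838783bc,q8f2@example.net,2025-04-10 03:17:52
43,rk29dd01x,rk29@example.org,2025-04-11 22:05:09
"""

# Administrators you have verified belong to your team (assumed allowlist).
KNOWN_ADMINS = {"siteowner", "editor_jane"}

# The flaw was reported on 2025-03-13; any admin created on or after that
# date that you did not add yourself deserves a closer look.
CUTOFF = datetime(2025, 3, 13)


def suspicious_admins(csv_text, known_admins=KNOWN_ADMINS, cutoff=CUTOFF):
    """Return administrator accounts that are not on the allowlist or were
    registered on/after the cutoff. Each hit is a (login, reason) tuple."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not on allowlist")
        if registered >= cutoff:
            reasons.append(f"registered {registered:%Y-%m-%d}, after disclosure")
        if reasons:
            hits.append((login, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    # Pipe real WP-CLI output into this script instead of the sample when
    # auditing an actual site; every flagged login should be verified by hand.
    for login, reason in suspicious_admins(SAMPLE_WP_USER_CSV):
        print(f"REVIEW {login}: {reason}")
```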
Website owners are also urged to enable two-factor authentication (2FA) for admin accounts and consider installing a security plugin that monitors for privilege escalation and unauthorized changes.
This OttoKit vulnerability highlights the ongoing risks associated with WordPress plugins, particularly those with broad functionality and high install counts. It also serves as a reminder to site owners: a plugin isn’t truly safe unless it’s configured correctly and kept up to date.
With active exploitation already underway, applying the latest patch and reviewing your admin access logs could mean the difference between a secure website and a full-scale compromise.